Karbonn Sparkle V & Android One
Android One
Android One is a label that targets emerging markets. It specifies the minimum hardware requirements that a smartphone must have to be supported for 2 years by Google. This is one of the major opportunities for us in Mauritius. Some of you may think that it's too good to be true, but it exists, as I got myself an Android One phone!
Karbonn Sparkle V
I bought an Android One certified phone from an Indian manufacturer, Karbonn. Mine is the Karbonn Sparkle V. When I got it, it was still on Android 4.4. As soon as I configured the Wi-Fi, it offered the possibility to be updated to Android 5.0. Many high-end phones are still shipping with Android 4.4 today without any updates to Android 5.0.
- Display size: 4.5 inches
- CPU: Quad-core 1.3 GHz Cortex-A7
- Internal memory: 2GB
- GPU: Mali-400MP2
- RAM: 1GB
- Camera (back): 5 MP, 2592 х 1944 pixels, autofocus, LED flash
- Camera (front): 2MP
- GSM: 2G, 3G, 4G
User experience
Yesterday night, I updated to Android 5.1.1. UX-wise, the phone is very responsive, and snappy. My only complaint would be the lack of internal storage space. I think that 4GB would have been better. Another version of the Sparkle is currently brewing. I hope that Google bumps the hardware specs for the next Android One label. The price is very competitive: Rs 5700-5900 depending on where you buy it. Overall, I'm very happy with my purchase, and I definitely plan to buy another Android One phone at the end of this year.
Android One firmware

It is worth pointing out that Google offers 2 years of firmware update support. This is fantastic, as I get the equivalent of a Google Nexus phone, at a much more reasonable price. This is the major win for the Android One phones. Unlike manufacturers that tend to ignore firmware updates after 6 months, Google makes a smart move here.
--Logan
Improving NTP security against overflows
Saving the world ... on time!

The Network Time Protocol is a standard which is used to keep our computers' time accurate. The science involved in keeping clocks ticking on computers is far more complex than most people would assume.
As a comparison: the number of lines of code for the University of Delaware NTP implementation -- which is the most widely deployed NTP software -- is slightly less than the source code of the Internet Software Consortium's BIND product. I will spare us the details of the hair-pulling mathematics involved :)
Security record of Delaware NTP
I do not want to criticise the work of the past NTP developers. I am merely looking at the list of past vulnerabilities:
- Buffer overflow in crypto_recv()
- Buffer overflow in ctl_putdata()
- Buffer overflow in configure()
So what is a buffer overflow? Let's use a picture to illustrate this:

As we can see here, the attacker keeps putting more sugar in the pan until it literally overflows. In computers, you can do the same thing. You can put more input than the storage location can accept, and you essentially overflow its content into the next adjacent storage location. There's one difference, however: if you are smart, you can use the overflowing "sugar" to take control of the remote computer! This is one of the classic ways to crack into a remote computer such as an NTP server, a Mac OS X laptop, or even a Windows laptop. For geeks, you can put some "magic" in the overflowing sugar that executes "/bin/bash" and you can then run whatever you want on the NTP service.
Defeating overflows
I have extended the NTP memory allocator -- a manager which is in charge of allocating storage space in live memory -- and added an additional function that checks for buffer overflows that occur under certain conditions, namely multiplication. As I said previously, a lot of NTP involves complex mathematical calculations that can lead to vulnerabilities. This defeats an entire class of buffer overflows in NTP. Due to the large number of products that use University of Delaware NTP software, this is a significant step towards improving Internet security at large!
To put it in simpler terms: we prevent the attacker from overflowing the pan with sugar. We have detectors in place that signal to the chef that something went wrong in the kitchen.
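The kind of check described above, sketched as an added example (not the author's patch and not NTP's own code): an array allocator that refuses a request when `nmemb * size` would wrap around `size_t`. The names `mul_overflows`, `naive_request` and `checked_realloc_array` and the sample values are hypothetical.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* 2^(bits/2): if both factors are below this, the product fits in size_t. */
#define MUL_NO_OVERFLOW ((size_t)1 << (sizeof(size_t) * 4))

/* Returns 1 if nmemb * size would wrap around size_t, 0 otherwise. */
int mul_overflows(size_t nmemb, size_t size)
{
    return (nmemb >= MUL_NO_OVERFLOW || size >= MUL_NO_OVERFLOW) &&
           nmemb > 0 && SIZE_MAX / nmemb < size;
}

/* What an unchecked malloc(nmemb * size) would actually ask for. */
size_t naive_request(size_t nmemb, size_t size)
{
    return nmemb * size; /* unsigned arithmetic wraps silently */
}

/* Hypothetical wrapper: (re)allocate room for nmemb elements of size bytes,
 * failing with ENOMEM on a zero-sized or overflowing request instead of
 * handing back an undersized buffer. */
void *checked_realloc_array(void *ptr, size_t nmemb, size_t size)
{
    if (nmemb == 0 || size == 0 || mul_overflows(nmemb, size)) {
        errno = ENOMEM;
        return NULL;
    }
    return realloc(ptr, nmemb * size);
}

int main(void)
{
    /* Constructed input: an element count taken from untrusted data. */
    size_t count = SIZE_MAX / 16 + 2, elem = 16;

    printf("naive request: %zu bytes for %zu elements\n",
           naive_request(count, elem), count);
    void *buf = checked_realloc_array(NULL, count, elem);
    printf("checked allocator: %s\n", buf ? "allocated" : "refused");
    free(buf);
    return 0;
}
```

With the constructed count, the unchecked multiplication wraps to a 16-byte request, so any later loop over `count` elements would write far past the buffer; the checked wrapper refuses the request before any memory is handed out.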
List of products using University of Delaware NTP software
I have attempted to list a few well-known products which use University of Delaware NTP software. This is by no means exhaustive:
- Various Cisco products.
- RedHat/CentOS Linux.
- Ubuntu Linux.
- Apple Macbooks.
- And many others
--Logan
Android One camera issue
Android One camera freeze

While attending a wedding today, I wanted to use my camera to record videos. When I switched to video mode, the application froze. Android reported that it was not able to connect to the camera.
Dark Powers of Linux to the rescue
Since Android was running a Linux kernel, I knew from experience that this was very likely a device driver module. Of course, since I did not have full access to the Android kernel message log, I knew that it was based on my instinct :)
I still wanted to record the speeches about the responsibilities of marriage from the gentleman who took his time to lecture the newly wed couple. So, I knew that I had to find a way to reset the camera. My idea was that, since I had switched to video mode before it froze, it probably remained in that state. I quickly killed the application, and reloaded it. Unsurprisingly, it started directly in recording mode. I just had to click on record, and it did the trick.
My theory is that switching back and forth from camera to photo mode causes the driver to hang up with the Android kernel. Since my phone is supported by Google, I sent a report to them on the phone itself, including how to reproduce it :)
Google Android One rocks
Thanks to the support from Google, I can send bug reports to them, as the phone is supported for 2 years. Unlike other phone manufacturers, it's much better in my humble opinion.
--Logan